
Publish trivy-db to docker.io ? #441

Closed
strowi opened this issue Sep 25, 2024 · 10 comments · Fixed by #448

Comments

@strowi

strowi commented Sep 25, 2024

Hi,

it seems ghcr.io has changed something about their rate-limits causing some problems (aquasecurity/trivy-action#389).

As we are using Gitlab-CI and already have a Harbor Proxy running, we tried to circumvent this via a harbor-proxy, but that doesn't seem to work successfully with ghcr.io (still running into rate-limits).

Turns out Harbor supports the HEAD-Request/Proxy-Mechanism only for docker.io.

Therefore it would be nice if this could also be published to docker.io so people NOT on github can work around this?
(I checked and only found a 1y old aquasec/trivy-db)
regards,
strowi

@knqyf263
Collaborator

Docker Hub has very strict rate limits. I'm not sure how much Docker Hub helps address this issue.
https://docs.docker.com/docker-hub/download-rate-limit/#whats-the-download-rate-limit-on-docker-hub

We're trying to use ECR Public now. Once we complete it, we'll think about Docker Hub.
#440

@strowi
Author

strowi commented Sep 25, 2024

Thx for the info, must've missed that ECR Issue.

As for Docker-Hub, it would at least help with Harbor (other proxies?), since the HEAD-Requests don't count towards the Rate-limit.

> As of Harbor v2.1.1, Harbor proxy cache fires a HEAD request to determine whether any layer of a cached image has been updated in the Docker Hub registry.

Not sure if/which other Proxies do support HEAD requests to Registries other than Docker-Hub.
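As an added illustration of the mechanism discussed above (not code from this thread, from Harbor or from trivy-db): the freshness check a pull-through cache performs, a HEAD on the registry's manifest endpoint whose Docker-Content-Digest is compared with the cached copy, so the GET that is charged against the pull limit is only issued when the manifest actually changed. The registry/repository values, the bearer token and the injectable transport are assumptions; Docker Hub's `ratelimit-remaining` header is parsed when present.

```python
import re
import urllib.request
from typing import Callable, Mapping, Optional, Tuple

# Transport signature: (url, request headers) -> response headers. Injectable so
# the freshness logic can be exercised offline with constructed responses.
HeadFn = Callable[[str, Mapping[str, str]], Mapping[str, str]]

# Accept both OCI and Docker manifest/index types, as a pull-through cache does.
MANIFEST_ACCEPT = ", ".join([
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])

def manifest_url(registry: str, repository: str, reference: str) -> str:
    """Registry API v2 manifest endpoint for a tag or digest."""
    return f"https://{registry}/v2/{repository}/manifests/{reference}"

def head_manifest(url: str, headers: Mapping[str, str]) -> Mapping[str, str]:
    """Real transport: one HEAD request; response headers returned lower-cased."""
    req = urllib.request.Request(url, method="HEAD", headers=dict(headers))
    with urllib.request.urlopen(req) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}

def parse_ratelimit(value: Optional[str]) -> Optional[int]:
    """Docker Hub sends e.g. 'ratelimit-remaining: 76;w=21600'; keep the count."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def needs_refresh(cached_digest: Optional[str], url: str,
                  head: HeadFn = head_manifest, token: Optional[str] = None,
                  ) -> Tuple[bool, Optional[str], Optional[int]]:
    """Return (must_pull, remote_digest, pulls_remaining).
    must_pull is True only when the registry's Docker-Content-Digest differs
    from the cached one (or is missing), so the GET that counts against the
    pull limit happens only for a genuinely new manifest.
    """
    headers = {"Accept": MANIFEST_ACCEPT}
    if token:  # bearer token from the registry's auth service (assumed obtained elsewhere)
        headers["Authorization"] = f"Bearer {token}"
    response = head(url, headers)
    remote = response.get("docker-content-digest")
    remaining = parse_ratelimit(response.get("ratelimit-remaining"))
    return (remote is None or remote != cached_digest, remote, remaining)
```

Run against a real registry by passing the default transport and a valid token; the check below uses a constructed response instead.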

@wkoot
Contributor

wkoot commented Sep 30, 2024

Is there an option to include a token, which allows for a higher rate limit?

@knqyf263
Collaborator

> Is there an option to include a token, which allows for a higher rate limit?

If you're asking about GITHUB_TOKEN, it doesn't seem to help now.

@wkoot
Contributor

wkoot commented Sep 30, 2024

Yes, either GITHUB_TOKEN or for instance a DOCKER_TOKEN if this feature would be implemented.
I'm assuming here that moving to ECR Public Gallery will also feature rate limiting, in the form of bandwidth quotas.

@antdking

antdking commented Oct 1, 2024

Having it in DockerHub would allow us to use Gitlab's builtin Dependency Proxy

Unfortunately it doesn't support other public registries yet

@strowi
Author

strowi commented Oct 1, 2024

I tested this with ECR, and ran into similar problems.
For now I created a Replication Rule in Harbor that will sync the image once a day and pointed the Container Image there.

@knqyf263
Collaborator

> Having it in DockerHub would allow us to use Gitlab's builtin Dependency Proxy

Thanks. We didn't know of that. We'll publish the DB to Docker Hub as well.

@wkoot
Contributor

wkoot commented Oct 11, 2024

Just like it would allow the Gitlab proxy, shouldn't this work with any proxy (and therefore reduce load)?
Therefore, setting up a local Registry as a pull through cache should be possible.
If so, this is worth explicitly documenting on https://aquasecurity.github.io/trivy/v0.56/docs/configuration/db/

@knqyf263
Collaborator

@wkoot I tested a proxy for DBs, but it didn't work, although container images worked. I think it's a new feature request. Can you please open an issue?
